Need quick help with ActiveSync/Autodiscover

Having some issues after changing my MX record to point to my new Exchange 2010 server.  All users are still on the old 2003 server.  I believe the issues, which are ActiveSync and Autodiscover related, all stem from external DNS.  Hopefully someone can help me here.  When I use the Microsoft Exchange Server Remote Connectivity Analyzer, ActiveSync and Autodiscover fail.  Right now, I have my MX record still pointing to my 2003 server until I can get this resolved.

Using a Microsoft document, I had my ISP create an SRV record for autodiscover for my domain. No A record, just the SRV record.  At this stage, the test totally fails because it can't find an A record (was told to delete that).

I also see that when I did have an A record for autodiscover, it ended up looking at our public website (hosted) for autodiscover, which it couldn't find, and it also was looking at the web host's certificate...

I'm assuming this is because our domain name "" was included on my UCC certificate, and is also our external DNS name...
This issue is not directly related to your UCC certificate.

I suppose that your DNS configuration is not correct, as autodiscover points to your WWW provider.
Often this is caused when no explicit autodiscover A record is set and you have a wildcard DNS entry for your domain (* pointing to your web server).

Just create an A record for autodiscover.<> and point it to your new Exchange 2010 server. Also point another A record, e.g. owa.<>, to the Exchange 2010 server.

In ESM check under CAS the settings for internal / external URLs to be correct.

And here, the certificate is important. For the configuration above, your certificate must contain the internal names (you can see them in the self-signed cert from installation), and additionally autodiscover.<> and owa.<>.

Now, if you create a test mailbox on E2010 server, Microsoft Exchange Server Remote Connectivity Analyzer should find no errors.
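To make the DNS point in this answer concrete, here is an added example (not code from the thread or from Microsoft) that simulates the hostnames an Autodiscover client tries against a constructed external zone and constructed certificate SAN lists; all domain names and IPs are hypothetical. It shows that with a wildcard A record and no explicit autodiscover record the probe lands on the web host, and that an explicit autodiscover A record pointing at Exchange, with that name on the certificate, is what turns the probe green.

```python
# Added example (not from the thread): simulate the hostnames an Autodiscover
# client tries, against a constructed DNS zone and constructed certificate SANs,
# to show why a wildcard with no autodiscover A record lands on the web host.
EXCHANGE_IP = "198.51.100.5"   # constructed: public IP NATed to the Exchange 2010 CAS
WEB_HOST_IP = "203.0.113.10"   # constructed: the hosted www site

# Constructed zone before the fix: a wildcard A record catches every name that
# has no explicit record, so autodiscover.example.com goes to the web host.
ZONE_BEFORE = {
    "example.com": ("A", WEB_HOST_IP),
    "www.example.com": ("A", WEB_HOST_IP),
    "*.example.com": ("A", WEB_HOST_IP),
}
# After the fix: an explicit autodiscover A record, which beats the wildcard.
ZONE_AFTER = dict(ZONE_BEFORE, **{"autodiscover.example.com": ("A", EXCHANGE_IP)})

# Constructed SAN lists of the certificate served at each IP.
CERTS = {
    WEB_HOST_IP: ["www.example.com", "example.com"],
    EXCHANGE_IP: ["mail.example.com", "autodiscover.example.com", "owa.example.com"],
}

def resolve_a(zone, name):
    """Explicit A record first; otherwise a single-label wildcard under the parent."""
    rec = zone.get(name)
    if rec is None and "." in name:
        rec = zone.get("*." + name.split(".", 1)[1])
    return rec[1] if rec and rec[0] == "A" else None

def cert_covers(ip, host):
    """True if the certificate served at ip lists host as a SAN (exact match)."""
    return host in CERTS.get(ip, [])

def autodiscover_probe(zone, domain):
    """Return [(host, ip, status), ...] for each candidate tried, in client order:
    the root domain first, then autodiscover.<domain>; stop at the first 'ok'."""
    steps = []
    for host in (domain, "autodiscover." + domain):
        ip = resolve_a(zone, host)
        if ip is None:
            status = "no A record"
        elif ip != EXCHANGE_IP:
            status = "resolves to the web host, not Exchange"
        elif not cert_covers(ip, host):
            status = "certificate does not contain this name"
        else:
            status = "ok"
        steps.append((host, ip, status))
        if status == "ok":
            break
    return steps
```

Running `autodiscover_probe(ZONE_BEFORE, "example.com")` reports both candidates hitting the web host, while `ZONE_AFTER` ends with autodiscover.example.com reaching Exchange with a matching certificate name.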
tenover (Author) commented:
-Just had the external A record added for

-There is no wildcard entry pointing to my webserver currently, only a "www" A record.

-I already have an external entry for "" in DNS.

-In ESM, the settings appear correct for the 2010 server.

The problem is with all the users who currently exist on the Exchange 2003 server.  If they go to OWA, they get the new 2010 login page, and when they type in their credentials, it does not redirect them to the legacy page.  This works like a charm internally.

The same users are immediately prompted for Exchange passwords on their iPhone.

I can recreate this issue at any time by simply changing my NAT policy to point to the 2010 server instead of the 2003 server.  

Because of the analyzer results, and the (non)redirect to, I was sure it had to do with either permissions somewhere or the certificate.
tenover (Author) commented:
Just confirmed that this is definitely why autodiscover is not mail server is called "" and is hosted on our LAN behind our firewall.  I have a NAT policy for it.

Our internal and external domain names are the same, so for some reason when the autodiscover test happens, it immediately looks at the root domain "" which goes to the company that hosts our www site.

How can I fix this?  Do I need to modify my certificate?  Something I can do via external DNS?

This is really holding me back from moving forward.
tenover (Author) commented:
Actually, I can get by without Autodiscover until later... My main problem is that ActiveSync is not working and OWA is redirecting users to a blank page.
tenover (Author) commented:
Just switched over to the new 2010 server to test.  The one user I've moved over to 2010 can then log in to OWA and use Autodiscover to configure an ActiveSync mobile client with no issues.

ANY and ALL existing 2003 users do not get directed to the old server, either through OWA or (it appears) through ActiveSync...

I'm still thinking it's a permission/authentication issue between the two servers, but am not sure how to test/verify...

Your external A record should point to your Internet IP, the right ports (80, 443) should be forwarded to your OWA server, and the certificate should be loaded in IIS and valid for your OWA URL.
As you are getting a blank page, you should verify the connection in the IIS log and probably need to reconfig IIS.
tenover (Author) commented:
I figured this one out.  My bad.  NAT policy for legacy was incorrect.  Working on ActiveSync issues now... As soon as I flip the switch to point to the new 2010 server, all mobile users can't sync.  Uggh.